OTP may be known as a new generation of password security technique, but I want to know whether it is still safe enough several years after its appearance, or whether it will be deprecated soon. And what would be the possible replacement for it?

2 Answers
One-Time Passwords (not to be confused with "One-Time Pad", a theoretically perfect but practically heavyweight technique for encryption) are a sound concept which cannot, in itself, be deprecated. It just means: a given password (i.e. a secret value shared between prover and verifier, used for authentication) can be used just once with the verifier; in other words, if the verifier (e.g. a server you want to log on to) accepts a password but will reject any further attempt with the same password, then it is a one-time password.

One-Time Password schemes are systems which use the One-Time Password concept and establish rules and mechanisms for the two parties (prover and verifier) to actually share one-time passwords. Any given scheme can be weak or strong, broken, deprecated... but the concept is unharmed.

RSA SecurID tokens can be viewed as an incarnation of the concept of one-time passwords -- a variant with a clock, actually -- and they are very much alive.

HOTP is a free and open standard for generation of one-time passwords (with an internal counter), which can be implemented by extremely cheap hardware tokens.

(Traditional one-time password authentication schemes for Unix servers use software generation of lists of passwords, which users are supposed to print and keep in their wallet, striking out used passwords. This never got popular -- I guess it is too low-tech; users are not amazed enough to forget the inconvenience of fiddling with a tangible object).
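As an added illustration of the HOTP scheme mentioned in this answer (RFC 4226, HMAC-SHA1 over a counter), here is a generator plus a small server-side verifier showing the "accepted once" property the answer describes. This is example code, not part of the original post; the server's look-ahead window size is an assumption, and the secret is the RFC's own test key.

```python
import hmac
import hashlib
import struct

# Test secret from RFC 4226 Appendix D (ASCII "12345678901234567890")
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Server side: remembers the next expected counter so each password is
    accepted at most once, and tolerates a small look-ahead window (assumed
    size) for tokens whose button was pressed without the code being sent."""
    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0                    # next counter value the server expects

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time compare so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1        # resynchronise; this and earlier counters are burned
                return True
        return False

if __name__ == "__main__":
    v = HotpVerifier(SECRET)
    code = hotp(SECRET, 1)                  # token pressed twice, server still expects counter 0
    print(v.verify(code))                   # True: within the look-ahead window
    print(v.verify(code))                   # False: a replayed one-time password is rejected
    print(v.verify(hotp(SECRET, 0)))        # False: counter 0 is now behind the server
```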

One-time passwords (as implemented by RSA SecurID or other vendors) are theoretically safe but, as with all security controls, have limits that must be considered when designing your security system.

The OTP implementation may have implementation or design flaws that make it possible to circumvent it.

OTP can be intercepted and used by attackers through the intermediary of trojans or XSS attacks, for instance at the authentication stage (often with an apparent denial of service to you as a user, since another party is using your freshly inputted OTP, thus invalidating it).

Most importantly, OTP systems often limit themselves to authenticating a user instead of authenticating a transaction. Once a user is authenticated, a trojan may re-use your authenticated web session with your bank, for instance, to perform transactions on your behalf in a sneaky manner.

Although I think OTPs still have a bright future ahead of them, they will be augmented with further security controls and will in particular increasingly try to address the problem of transaction authentication instead of limiting themselves to authenticating the user only.